
GCIH Question #463: Real Exam Question with Answer & Explanation

The correct answer is B: Containment.

Incident Response & Cyber Kill Chain

Question

You have responded to the breach of an internal file server that contains highly confidential strategic information. The attacker compromised the server and created a local administrator. The compromise was discovered quickly, and the network cable was disconnected from the server. Management has decided that they do not want to risk any bad publicity and will not seek prosecution of the attacker. IT management will allow you to rebuild the server over the weekend. Until then, you create a plan to lock the administrator account, block RDP traffic with a firewall rule, and create email alerts on network traffic and from the affected server. What phase of the incident response process is addressed by your plan?

Options

  • A. Recovery
  • B. Containment
  • C. Eradication
  • D. Identification

Explanation

You are in the containment phase of the incident handling process. The eradication phase will kick in once you remove the administrative account and any remnants of the attack and isolate the cause of the compromise, and the recovery phase will occur when the system is brought back online. The identification phase has already occurred when the compromise was discovered.

Topics

#containment, #breach response, #incident phases, #RDP blocking
